To comply with applicable laws, regulations, and industry standards of insurability, all College-owned Information Technology adheres to the following endpoint security requirements:
- The College’s Center for Information Technology manages the Information Technology with a Configuration Management System.
- Information Technology employs full disk encryption with Institutional key escrow.
- Each piece of Information Technology has unique, non-shared logins for each individual accessing the device.
These endpoint security requirements serve to protect the College community’s research, intellectual property, non-public information, and availability of systems and services.
Process for Obtaining an Exception to Endpoint Security Requirements
While the aforementioned requirements apply to all Information Technology, there are limited circumstances in which the College may grant discrete and individualized exceptions to one or more requirements. The College may grant exceptions when an individual establishes the following:
- a compelling business justification for the exception
- material negative business impacts that will occur without the exception to the particular endpoint security requirement(s)
- compensating controls to mitigate against any compromised security elements resulting from the exception
Individuals who wish to apply for an exception to the College’s endpoint security requirements may do so by submitting an Endpoint Security Requirement Exception Request Form. A panel composed of the Dean of the College of Arts and Sciences (or designee), the Dean of the Conservatory (or designee), and the Chief Information Technology Officer (or designee) will determine whether to grant an exception.
Regardless of when the College authorizes an exception, all exceptions to the endpoint security requirements expire annually at the end of the College’s fiscal year, and individuals must resubmit a request for an exception each subsequent year.
The College may block or remove from the network any violations that circumvent or do not comply with the endpoint security requirements without a properly granted exception to the particular requirement(s), and such violations may be subject to a professional conduct review.